Thread: Nouveau Becomes Friendly Towards Non-Root X Server

  1. #1
    Join Date
    Jan 2007
    Posts
    14,915

    Phoronix: Nouveau Becomes Friendly Towards Non-Root X Server

    A few days ago I wrote about the Intel and Radeon drivers supporting the X.Org Server without root rights due to the DDX drivers adding support for server-managed FDs. That support has now been extended to cover the Nouveau driver too...

    http://www.phoronix.com/vr.php?view=MTY1Njk

  2. #2
    Join Date
    Dec 2012
    Posts
    459

    It's already possible to run xorg non-root with nouveau. Intel is a problem last time I tried (about a month ago).

    I use sgid and sudo to make xorg run as nobody:video. This does require marking /dev/input/* as owned by :video. Furthermore, you need to disable MIT-SHM for QT apps to work. Finally, VT-switching does not work and keyboard input is dumped into the terminal (huge privacy issue). But it works.

    How does this make things better?

  3. #3
    Join Date
    Dec 2011
    Posts
    2,064

    I wish this was done a decade or two ago...

  4. #4
    Join Date
    Jan 2014
    Posts
    75

    Quote Originally Posted by Rexilion View Post
    It's already possible to run xorg non-root with nouveau. Intel is a problem last time I tried (about a month ago).

    I use sgid and sudo to make xorg run as nobody:video. This does require marking /dev/input/* as owned by :video. Furthermore, you need to disable MIT-SHM for QT apps to work. Finally, VT-switching does not work and keyboard input is dumped into the terminal (huge privacy issue). But it works.

    How does this make things better?
    s/QT/Qt/

  5. #5
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    96

    Quote Originally Posted by Rexilion View Post
    It's already possible to run xorg non-root with nouveau. Intel is a problem last time I tried (about a month ago).

    I use sgid and sudo to make xorg run as nobody:video. This does require marking /dev/input/* as owned by :video. Furthermore, you need to disable MIT-SHM for QT apps to work. Finally, VT-switching does not work and keyboard input is dumped into the terminal (huge privacy issue). But it works.

    How does this make things better?
    By marking the input devices as being part of the video group, you allow any user in the video group to read/write to the input devices of other users. On a single user machine, this is still a problem because applications in an inactive session should not be able to read the input. Wayland also moves away from the overly permissive X11 input handling where applications can spy on all the input.

    The logind improvements allow for device handles to be passed as file descriptors to an active session. This means there's no need for a setuid binary or overly permissive device nodes. Adding users to groups like audio, video, storage, etc. on a desktop machine is redundant and weakens security compared to logind (and previously, consolekit).
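
The descriptor hand-off described in the post above, as an added example that is not part of the thread and not logind's own interface: a broker opens a node and passes the open descriptor over a Unix socket with SCM_RIGHTS, so the receiver never needs permission on the path. Assumptions: a temporary file stands in for the device node, both ends run in one process for the demo, and the `b"dev"` tag and function names are hypothetical.

```python
import os
import socket
import tempfile

def broker_send_device(sock, path):
    """Privileged side: open the node, hand the open descriptor to the session."""
    fd = os.open(path, os.O_RDONLY)
    try:
        socket.send_fds(sock, [b"dev"], [fd])   # fd travels as SCM_RIGHTS data
    finally:
        os.close(fd)                            # receiver gets its own reference

def session_recv_device(sock):
    """Unprivileged side: accept exactly one descriptor, reject anything else."""
    msg, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
    if msg != b"dev" or len(fds) != 1:
        for fd in fds:
            os.close(fd)
        raise RuntimeError("unexpected message from broker")
    return fds[0]

def demo():
    """Return (path_gone, data): the fd stays usable after the path is removed."""
    broker, session = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tempfile.NamedTemporaryFile(delete=False) as node:
        node.write(b"constructed input event\n")   # constructed stand-in data
        path = node.name
    try:
        broker_send_device(broker, path)
    finally:
        os.unlink(path)          # receiver can no longer reach the node by name
    fd = session_recv_device(session)
    try:
        return (not os.path.exists(path)), os.read(fd, 64)
    finally:
        os.close(fd)
        broker.close()
        session.close()

if __name__ == "__main__":
    print(demo())
```

In a real deployment the two ends are separate processes with different UIDs, and the node's mode can stay restrictive because only the broker ever opens it.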

  6. #6
    Join Date
    Dec 2012
    Posts
    459

    Quote Originally Posted by strcat View Post
    By marking the input devices as being part of the video group, you allow any user in the video group to read/write to the input devices of other users. On a single user machine, this is still a problem because applications in an inactive session should not be able to read the input. Wayland also moves away from the overly permissive X11 input handling where applications can spy on all the input.
    Video group does not have any users. Xorg binary is marked sgid with group video. It runs as user nobody.

    So, unless Xorg itself is compromised no application can 'maliciously' read my passwords.

    Quote Originally Posted by strcat View Post
    The logind improvements allow for device handles to be passed as file descriptors to an active session. This means there's no need for a setuid binary or overly permissive device nodes. Adding users to groups like audio, video, storage, etc. on a desktop machine is redundant and weakens security compared to logind (and previously, consolekit).
    Yeah, that would be better. But for the single user case which I described above, not a direct improvement.

  7. #7
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    96

    Quote Originally Posted by Rexilion View Post
    Video group does not have any users. Xorg binary is marked sgid with group video. It runs as user nobody.
    The nobody user is a bit dangerous, since any other processes running as nobody will be able to mess with it (although ptrace_scope=1 closes the very obvious holes).

    Quote Originally Posted by Rexilion View Post
    Yeah, that would be better. But for the single user case which I described above, not a direct improvement.
    Unless the user has multiple sessions, like being logged in at another VT. Either way, compromising X is quite trivial and that's why having it still running as root in 2014 is disturbing. It's a very large pile of mostly crufty code, and many security holes are found whenever someone reviews/audits it.

  8. #8
    Join Date
    Dec 2012
    Posts
    459

    Quote Originally Posted by strcat View Post
    The nobody user is a bit dangerous, since any other processes running as nobody will be able to mess with it (although ptrace_scope=1 closes the very obvious holes).
    Xorg binary is not owned by nobody. I use sudo to start the root owned binary as nobody.

    Quote Originally Posted by strcat View Post
    Unless the user has multiple sessions, like being logged in at another VT. Either way, compromising X is quite trivial and that's why having it still running as root in 2014 is disturbing. It's a very large pile of mostly crufty code, and many security holes are found whenever someone reviews/audits it.
    That still is a problem if it were to run under the same user who logs in or using the method I have applied right here.

    I think it's even safer to have it run as nobody:video rather than user:user since this will not allow one to tamper with user docs/files.

  9. #9
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    96

    Quote Originally Posted by Rexilion View Post
    Xorg binary is not owned by nobody. I use sudo to start the root owned binary as nobody.
    I'm talking about the process running as nobody. Any other process running as nobody such as a compromised service can ptrace it (or do similar stuff). This is how applications like gdb attach to processes that are already running as the same user.

    Quote Originally Posted by Rexilion View Post
    I think it's even safer to have it run as nobody:video rather than user:user since this will not allow one to tamper with user docs/files.
    You're missing that you expose the X server to all other processes running as nobody. A compromise of the server is certainly close to the same thing as a compromise of your user account since it has access to all of the video and input devices, along with a lot of control over the connected X11 applications.

  10. #10
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    96

    Creating a specific user for this task would be alright, but making use of nobody is bad practice since it's insecure as soon as you use it for more than one thing.
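
A way to check the shared-account exposure debated in the last posts, as an added example that is not part of the thread: it scans a /proc-style tree, lists every other process whose real UID matches the X server's, and reads the Yama `ptrace_scope` setting mentioned earlier. Assumptions: the server's process name is `Xorg`, and the sample tree (PIDs, `httpd`, UID 65534) is constructed so the code runs offline.

```python
import os

def proc_info(proc_root, pid):
    """Return (name, real_uid) parsed from <proc_root>/<pid>/status."""
    name, uid = None, None
    with open(os.path.join(proc_root, pid, "status")) as fh:
        for line in fh:
            if line.startswith("Name:"):
                name = line.split(None, 1)[1].strip()
            elif line.startswith("Uid:"):
                uid = int(line.split()[1])    # fields: real, effective, saved, fs
    return name, uid

def shared_uid_peers(proc_root, server_name="Xorg"):
    """List (pid, name) of other processes sharing a real UID with the server."""
    procs = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            procs[int(pid)] = proc_info(proc_root, pid)
        except OSError:
            continue                          # process exited during the scan
    server_uids = {uid for name, uid in procs.values() if name == server_name}
    return sorted((pid, name) for pid, (name, uid) in procs.items()
                  if uid in server_uids and name != server_name)

def ptrace_scope(proc_root):
    """Yama level: 0 classic, 1 descendants only, 2 admin only, 3 no attach."""
    try:
        with open(os.path.join(proc_root, "sys/kernel/yama/ptrace_scope")) as fh:
            return int(fh.read().strip())
    except OSError:
        return None                           # Yama not available

def build_sample(root):
    """Constructed tree: Xorg and a web service both run as UID 65534."""
    sample = {101: ("Xorg", 65534), 202: ("httpd", 65534), 303: ("bash", 1000)}
    for pid, (name, uid) in sample.items():
        os.makedirs(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "status"), "w") as fh:
            fh.write(f"Name:\t{name}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
    os.makedirs(os.path.join(root, "sys/kernel/yama"))
    with open(os.path.join(root, "sys/kernel/yama/ptrace_scope"), "w") as fh:
        fh.write("1\n")
```

Against a live system, call `shared_uid_peers("/proc")`; an empty list means the X server's account is not shared with any other running process.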
